andrew has asked for the wisdom of the Perl Monks concerning the following question: 

 $ins = "INSERT INTO `items` (`category`, `itemid`, `description`, `lo
+ngdescription`, `size`, `o1n`, `o1o`, `o2n`, `o2o`, `o3n`, `o3o`, `c1
+n`, `c1v`, `c2n`, `c2v`, `c3n`, `c3v`, `price`, `small`, `large`)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
+?, ?)";

 $sth = $dbh->prepare("$ins") or die $dbh->errstr;
 $sth->execute(map(scalar param($_), qw(cat itemid des longdes size o1
+n o1o o2n o2o o3n o3o c1n c1v c2n c2v c3n c3v)),$price,$small,$large)
+ or die $dbh->errstr;

[download]
In this code for all the params, if they contain a amp or a quote or any special character like that, could I replace that with there hexidemic value. so ">" would be &gt; and "<" would be &lt;, could that be in my $sth->execute some how??

Replies are listed 'Best First'.
Re: Converting Special Characters
by dws (Chancellor) on Oct 08, 2002 at 02:15 UTC
    (Readers should note that this question is a follow-up to advice given in this thread.)

    You're on the right track about encoding entities, but you're getting off at the wrong station.

    The time to encode entities is as you're generating HTML after you've pulled data out of the database. If you encode them before inserting them into the database, your data gets polluted, and is harder to use for other purposes. (E.g., if you use a report writer, you'll have ugly little HTML entities in your report text.

    Once you've pulled data out of the database, you can use HTML::Entities to encode special characters.

[reply]
    A reply falls below the community's threshold of quality. You may see it by logging in.
Re: Converting Special Characters
by andrew (Acolyte) on Oct 08, 2002 at 20:40 UTC
    As of now I just found out that, it wasnt when I inserted it, cause all my quotes are in the database
[reply]
      But there is this line 4 1/4" x 3" x 5 1/2 high Now once I add it to my databse it just adds 4 1/4??
[reply]
        But there is this line 4 1/4" x 3" x 5 1/2 high Now once I add it to my databse it just adds 4 1/4??

        So far, you've given us one "No no no ... oops" after several go-arounds. I'm growing weary of trying to pry information out of you.

        Your assignment now is to provide a small code fragment that demonstrates this type of truncation. By "demonstrate" I mean insert data into the database, then select it back out, verifying that what came out isn't what went it.

        I still suspect that all of your problems are downstream, after you pulled data that contains quotes out of the database, and when you try to construct HTML from it. When you view the data, you're seeing what you expect, because you haven't done the necessary entity encoding.

        Please prove me wrong by posting a code snippet.

[reply]
        Ok here we go, I insert into my database using this code! 
         $ins = "INSERT INTO `items` (`category`, `itemid`, `description`, `lo
+ngdescription`, `size`, `o1n`, `o1o`, `o2n`, `o2o`, `o3n`, `o3o`, `c1
+n`, `c1v`, `c2n`, `c2v`, `c3n`, `c3v`, `price`, `small`, `large`)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
+?, ?)";

 $sth = $dbh->prepare("$ins") or die $dbh->errstr;
 $sth->execute(map(scalar param($_), qw(cat itemid des longdes size o1
+n o1o o2n o2o o3n o3o c1n c1v c2n c2v c3n c3v)),$price,$small,$large)
+ or die $dbh->errstr;

        [download]
        Something weird isgoing on with my size cause now it seems to be working, but now I found it adds it all good to database prints it fine, but when it comes to putting in textfield everything after the quote gets wiped out!
[reply]
[d/l]
        actually it will work if I use #&#q#u#o#t#; (please exuse the #'s) but I dont want to type that all the time!
[reply]

Back to Seekers of Perl Wisdom